Skip to main content

Main Area


Biggest data breaches of the last 20 years

  • Biggest data breaches of the last 20 years

    In 2017, the Identity Theft Resource Center released its annual Data Breach Year-End Review. The report tallied 1,579 data breaches in 2017 alone, representing a shocking 44.7% increase over 2016—and 2016's numbers were a record high at the time.

    The servers, databases, and networks maintained by businesses, banks, governmental entities, health care organizations, and even educational institutions are juicy targets for online criminals. Within those digital warehouses lies the personal data of millions and even billions of people, whose birthdays, passwords, Social Security numbers, and login credentials can be used to steal their identities, hack into their accounts, and take out loans in their names.

    The last two decades have witnessed a shocking rash of successful attacks on what many people previously believed were impenetrable security networks. The worst of them netted their masterminds vast stores of personal and financial data belonging to regular customers and account holders, many of whom wouldn't find out for years that their data had been compromised.

    Here's a look at the worst data breaches of the last 20 years.

  • #20. Uber

    Year: 2017

    Records obtained: 57,000,000

    Organization type: Transportation

    Data breach method: Hacked

    By any measurable standard, Uber had an abysmal 2017. Among the rideshare company's biggest scandals that year was the revelation that in 2016, two hackers breached the company's databases and stole phone numbers, email addresses, and other private data belonging to 57 million Uber customers as well as 600,000 drivers license numbers belonging to the company's drivers. Uber’s decision-makers made a bad thing worse by failing to alert law enforcement, which is required by law, hiding the breach from the public for the better part of a year—including the names of the hackers' victims—and, perhaps worst of all, by paying the hackers a $100,000 bounty to delete the data: a move that was universally denounced by security experts.


  • #19. Tumblr

    Year: 2013

    Records obtained: 65,469,298

    Organization type: Web

    Data breach method: Hacked

    In 2013, hackers stole personal and password information belonging to 65 million Tumblr users. The company, which at the time had not yet been purchased by Yahoo, didn't disclose the infiltration until 2016, when online sleuths found the information for sale on the so-called “dark web.”  


  • #18. Target Corporation

    Year: 2014

    Records obtained: 70,000,000

    Organization type: Retail

    Data breach method: Hacked

    Since the data was stolen between Nov. 27 and Dec. 15, some publications referred to the 2014 Target data breach as "the nightmare before Christmas." The retailer originally said that credit and debit card information—including card numbers, expiration dates and CVV numbers—for as many as 40 million customers could have been stolen by hackers starting on Black Friday weekend. The retail giant later revealed that number was actually closer to 70 million, and that the breach also included email addresses, mailing addresses, and phone numbers.


  • #17. National Archives and Records Administration (U.S. military veterans' records)

    Year: 2009

    Records obtained: 76,000,000

    Organization type: Military

    Data breach method: Lost or stolen media

    In 2010, the National Archives and Records Administration revealed that in March 2009, a two-terabyte external hard drive went missing from a processing room at a facility in College Park, Maryland. The drive contained personal information including the names and Social Security numbers of former Clinton administration staff and White House visitors.


  • #16. JPMorgan Chase

    Year: 2014

    Records obtained: 76,000,000

    Organization type: Financial

    Data breach method: Hacked

    According to a New York Times report, the 2014 JPMorgan Chase computer breach, history's largest bank hack at that time, could have been prevented with a simple security fix. Hackers gained entry into the financial giant's vast computer network by accessing an employee's login credentials and targeting the bank's weak link: a single server that the Chase security team neglected to protect with basic dual-factor authentication.


  • #15. Sony PlayStation Network

    Year: 2011

    Records obtained: 77,000,000

    Organization type: Gaming

    Data breach method: Hacked

    In 2011, gamers across the world wondered why they had been locked out of the PlayStation Network. While the lack of access was frustrating, the reason why was even more daunting. Between April 17 and 19, an unauthorized person hacked into the Sony system and stole a wealth of personal data—including birthdays, security questions, passwords, and login credentials—in one of history's biggest infiltrations into a cache of credit card data.


  • #14. Anthem Inc.

    Year: 2015

    Records obtained: 80,000,000

    Organization type: Health care

    Data breach method: Hacked

    In 2015, the second-largest health insurance company in America was the target of a massive data breach. Anthem Inc.'s CEO was among the 80 million victims whose data—including names, Social Security numbers, home addresses, birthdays, email addresses, and medical IDs—was stolen by hackers. In 2017, the company settled a class-action lawsuit in the wake of the hack.


  • #13. AOL

    Year: 2004

    Records obtained: 92,000,000

    Organization type: Web

    Data breach method: Hacked/inside job

    In 2004, a 24-year-old America Online software engineer was arrested by federal authorities for hacking into the company's computers to steal 92 million email addresses. He sold the data for $100,000 to an online gambling business owner in Las Vegas, who then relentlessly spammed those email addresses.


  • #12. MyHeritage

    Year: 2018

    Records obtained: 92,283,889

    Organization type: Genealogy

    Data breach method: Unknown

    In 2018, Israel-based DNA and genealogy company MyHeritage revealed that in October of the previous year, hackers had broken into the company's computers and stolen a massive file containing more than 92 million email addresses and passwords. Although the passwords were "hashed," which is a security measure that renders them useless if inappropriately accessed, the attack forced industry experts to take a second look at the preparedness of the DNA and genealogy industry.

  • #11. TK / TJ Maxx

    Year: 2007

    Records obtained: 94,000,000

    Organization type: Retail

    Data breach method: Hacked

    When hackers stole data from tens of millions of TJ Maxx and Marshall's customers in 2007, it was believed to be the biggest attack of its kind at that time—and that's when officials still thought there were only 45.7 million victims. It would soon come out that more than twice that number of accounts were compromised. The hackers easily bypassed the company's wired equivalent privacy (WEP) LAN security, which is notoriously weak.


2018 All rights reserved.